CAU 05 Conjur - Fundamentals Authentication

This document provides an overview of authentication in Conjur. It discusses key concepts like users, groups, hosts, and layers. It describes Conjur's role-based access control model and the interfaces for administration and secrets retrieval, including the UI, CLI, REST API, and Summon. The goal is to help participants understand Conjur authentication and learn how to access Conjur for administration and retrieving secrets.


Authentication

Lesson Objectives

This lesson provides an overview on how to authenticate and access Conjur for administration and secrets retrieval.

Upon completion of this lesson the participant will be able to:

► Understand the key concepts and terminology related to Conjur authentication
► Learn the interfaces and tools for Conjur
► Learn the Conjur authentication workflow

Copyright © 2023 CyberArk Software Ltd. All rights reserved. cyberark.com


Conjur Identity

Users

• Human user account used for authentication and authorization
• Unique “login” (username/ID), API Key, and optional “password” per user
• API Key = randomly generated secret assigned by Conjur
• API Keys can be redeemed using “login” and “password”
• Username cannot contain special characters (“ : / . ”) BUT “@” is supported

COMMON USE CASE: Interactive human access for administration purposes

Groups

• Collection of “Users”, “Groups”, and/or “Roles”
• Each Group is assigned a unique ID
• Adding a Role to a Group gives the Role all the permissions held by the Group
• Records can be assigned to Groups for ownership and survivorship


Hosts

• Non-human user account used for authentication and authorization
• Unique Host ID and API Key assigned for authentication
• API Key = randomly generated secret assigned by Conjur
• Hostname cannot contain special characters (“ : / . ”) BUT “@” is supported

COMMON USE CASE: Identity for applications and non-human processes for secrets retrieval and/or Conjur administration access

Layers

• Logical container for Hosts which perform similar jobs or functions
• Each Layer is assigned a unique ID
• Adding a Role to a Layer gives the Role all the permissions held by the Layer

COMMON USE CASE: A Layer owns a Variable granting member Hosts access


RBAC TRANSACTION

• Conjur Authorization Engine
• Create and Maintain Authorization Rules
• Respond to Authorization Requests

Transaction = Does role “X” have permission “Y” to resource “Z”?
Each Transaction contains 3 parts: Role, Permission, & Resource

ROLE (Kind, Identifier) → PERMISSION → RESOURCE (Kind, Identifier)

Role: Identifies the SUBJECT (users, machines, or groups)
Permission: Identifies the ACTION (create, read, execute, update, delete)
Resource: Identifies the OBJECT (secrets)


• Authorization service maintains a catalog of roles, resources, and permissions
• Controls access to resources for all Conjur interfaces
• Hosts or Users must have permission on a policy to read, write, or execute resources within the policy.
• Each role and resource is assigned a unique identifier


Roles
• Role is an “actor” in Conjur (human or non-human)
• Roles are identities that receive Grants
• Grants provide Permissions on a Resource

Grants
• Roles can be granted to other roles
• Roles granted are fully inherited

EXAMPLE: If Role A is granted to Role B, then Role B is granted all permissions of Role A


Resources
• Records stored in Conjur
• Partitioned by kind, such as group, host, variable

Ownership
• Role that creates a Resource is its initial owner
• Ownership can be granted to another Role


Permissions
• Relation between Role and Resource
• Assign in policy using !permit statement
• Default permissions: create, read, execute, update, delete
• Owner of Resource can give permission to a Role
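Worked example (added here; it is not CyberArk's code and not Conjur's implementation): a small Python model of the authorization catalog described on the Roles, Grants, Resources, Ownership and Permissions slides. The class name AuthorizationEngine, the method names, the "kind:identifier" role and resource ids, and the sample policy in build_sample are constructed for illustration. It shows how one transaction (does role X have permission Y on resource Z?) is answered when grants are fully inherited through a chain of roles and the owner of a resource holds every privilege on it.

```python
from collections import deque

# The five default privileges listed on the Permissions slide.
PRIVILEGES = {"create", "read", "execute", "update", "delete"}


class AuthorizationEngine:
    """Catalog of roles, resources and permissions that answers one transaction at a time."""

    def __init__(self):
        self._member_of = {}   # role -> set of roles that have been granted to it
        self._owner = {}       # resource -> owning role
        self._permits = set()  # (role, privilege, resource) relations

    def grant(self, role: str, to: str) -> None:
        """Grant `role` to `to`; `to` inherits everything `role` can do (a group to a user, a layer to a host)."""
        self._member_of.setdefault(to, set()).add(role)

    def create(self, resource: str, creator: str) -> None:
        """The role that creates a resource is its initial owner."""
        self._owner[resource] = creator

    def give(self, resource: str, new_owner: str) -> None:
        """Ownership can be granted to another role."""
        self._owner[resource] = new_owner

    def permit(self, role: str, privilege: str, resource: str) -> None:
        """Model of a !permit statement in policy."""
        if privilege not in PRIVILEGES:
            raise ValueError(f"unknown privilege {privilege!r}")
        self._permits.add((role, privilege, resource))

    def effective_roles(self, role: str) -> set:
        """The role itself plus every role it holds transitively (grants are fully inherited)."""
        seen, queue = {role}, deque([role])
        while queue:
            for granted in self._member_of.get(queue.popleft(), ()):
                if granted not in seen:
                    seen.add(granted)
                    queue.append(granted)
        return seen

    def check(self, role: str, privilege: str, resource: str) -> bool:
        """The RBAC transaction: allow if the role (or any role it holds) owns or is permitted on the resource."""
        held = self.effective_roles(role)
        if self._owner.get(resource) in held:
            return True
        return any((r, privilege, resource) in self._permits for r in held)


def build_sample() -> AuthorizationEngine:
    """Constructed sample policy: a layer of Redis hosts, an operators group, and a nested admins group."""
    engine = AuthorizationEngine()
    secret = "variable:production/redis/password"
    engine.create(secret, "user:admin")                                   # admin loaded it, so admin owns it
    engine.grant("layer:production/redis", "host:production/redis001")    # host is a member of the layer
    engine.permit("layer:production/redis", "read", secret)               # layer may read metadata...
    engine.permit("layer:production/redis", "execute", secret)            # ...and fetch the value
    engine.grant("group:redis-operators", "user:alice")                   # alice is in the operators group
    engine.permit("group:redis-operators", "update", secret)              # operators may rotate the value
    engine.grant("group:redis-operators", "group:platform-admins")        # admins inherit from operators
    engine.grant("group:platform-admins", "user:bob")                     # bob is two grants away
    return engine


if __name__ == "__main__":
    engine = build_sample()
    secret = "variable:production/redis/password"
    for role, privilege in [("host:production/redis001", "execute"), ("host:production/redis001", "update"),
                            ("user:alice", "update"), ("user:bob", "update"), ("user:admin", "delete")]:
        print(f"{role} {privilege} {secret}: {'allow' if engine.check(role, privilege, secret) else 'deny'}")
```

The host can fetch the secret only because the layer it belongs to was permitted; bob can update it only through the chain platform-admins → redis-operators, which is what "roles granted are fully inherited" means in practice. Anything not reachable through a grant or ownership is denied, so a second host outside the layer gets nothing even though it is in the same environment.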


Conjur Interfaces


Interfaces: Administration and Secrets Retrieval
Flexible / Easy-to-Use Interfaces

Conjur UI
• Enterprise Web UI
• View Conjur Resources

Conjur CLI
• Command-Line Administration Tools
• Manage & View Conjur Resources

REST API
• Powerful RESTful API
• Ruby, Java, Python, Node.JS, and .NET C#
• Manage & View Conjur Resources

Summon
• Secrets Fetch & Injection
• Declarative Methods
• Invoke w/ Authenticated Identity


Conjur Web UI
• Visible dashboard for health status, monitoring, and reporting
• Audit & review users, hosts, groups, layers, policies, and secrets
• View visual diagrams of resources and associated permission controls


Conjur CLI
• Powerful, robust command-line tools pre-packaged to support several platforms
• Open Source and hosted via GitHub (https://github.com/cyberark/cyberark-conjur-cli)
• Easy installation onto any system requiring administration access to Conjur
• Use --help option to display command help

Common Usage
• Policy Management
• User & Host Management
• Listing & Searching Resources
• Secrets Management
REST API Overview
• Powerful, robust administration and access controls using RESTful API calls
• Seamless integration, easy code injection, and popular DevOps toolchain integration/support (Jenkins, Ansible, Puppet, Chef, GitHub, Docker, OpenShift)
• Temporary API access tokens for authentication and security
• Native programming language support for Ruby, Java, Python, Node.JS, and .NET C#

Request / Response (diagram):
Request: URI; Headers (Content-Encoding: base64, Content-Type: text/plain); Body
Response: 200; Body

https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Developer/lp_REST_API.htm


Summon Overview
• Open Source tool to help developers get control of secrets while using source control
• Pluggable provider to retrieve secrets
• Map environment variable to secrets identifiers using YAML (secrets.yml)
• No secrets remain after process exits

Use Cases: Web Applications, Deployment Scripts, Puppet/Chef Runs, DevOps Toolchain

Diagram: PROCESS ENVIRONMENT (Code That Requires A Secret) ↔ SUMMON ↔ SECRETS PROVIDER

https://github.com/cyberark/summon
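Worked example (added here; not the Summon project's code): a Python model of the behaviour the Summon slide describes. A secrets.yml maps environment variable names to secret identifiers, each identifier is fetched through a pluggable provider, the target command runs with those values in its own environment, and nothing is left behind when it exits. The secrets.yml text, the SAMPLE_STORE backend, the secret ids and values, and the parse_secrets_yml / run_with_secrets names are constructed for illustration; the parser handles only the "NAME: !var id" and "NAME: !str literal" subset of the format.

```python
import os
import subprocess
import sys
from typing import Callable, Dict, Tuple

# Constructed secrets.yml: variable name -> secret identifier (!var) or literal (!str).
SAMPLE_SECRETS_YML = """\
# constructed example mapping
DB_PASSWORD: !var production/redis/password
API_TOKEN: !var production/api/token
DB_HOST: !str redis001.internal
"""

# Constructed stand-in for the secrets provider backend (Conjur, on this slide).
SAMPLE_STORE = {
    "production/redis/password": "s3cr3t-redis",
    "production/api/token": "tok-12345",
}


def sample_provider(secret_id: str) -> str:
    """Provider plug-in: resolve one identifier, failing loudly for unknown ids."""
    try:
        return SAMPLE_STORE[secret_id]
    except KeyError:
        raise LookupError(f"provider has no secret {secret_id!r}") from None


def parse_secrets_yml(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse the `NAME: !var id` / `NAME: !str literal` subset of secrets.yml into {name: (kind, value)}."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        name, sep, rest = line.partition(":")
        tag, _, value = rest.strip().partition(" ")
        if not sep or tag not in ("!var", "!str") or not value.strip():
            raise ValueError(f"secrets.yml line {lineno}: expected 'NAME: !var id' or 'NAME: !str value'")
        mapping[name.strip()] = (tag[1:], value.strip())
    return mapping


def resolve(mapping: Dict[str, Tuple[str, str]], provider: Callable[[str], str]) -> Dict[str, str]:
    """Fetch every !var through the provider; !str values pass through unchanged."""
    return {name: provider(value) if kind == "var" else value for name, (kind, value) in mapping.items()}


def run_with_secrets(command, secrets_yml: str, provider: Callable[[str], str]) -> subprocess.CompletedProcess:
    """Run `command` with the resolved secrets added to a copy of the environment.

    The copy is local to this call and is discarded on return, so the parent
    process never carries the secrets and nothing persists after the child exits.
    """
    child_env = dict(os.environ)
    child_env.update(resolve(parse_secrets_yml(secrets_yml), provider))
    return subprocess.run(command, env=child_env, capture_output=True, text=True)


def demo() -> dict:
    """Child process reads the injected variables; the parent environment never held them."""
    script = "import os; print(os.environ['DB_PASSWORD'], os.environ['DB_HOST'])"
    result = run_with_secrets([sys.executable, "-c", script], SAMPLE_SECRETS_YML, sample_provider)
    return {"child_output": result.stdout.strip(), "parent_has_secret": "DB_PASSWORD" in os.environ}


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the secret values exist only in child_env: they are never exported into the parent's os.environ, never written to disk, and are gone once run_with_secrets returns. An unknown identifier fails before the command starts rather than launching it with a missing variable.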


Conjur Authentication


Conjur Authentication Workflow

1. Requester presents credentials to prove identity
2. Conjur verifies the credentials, then returns a short-lived access token
3. Requester presents the unexpired access token along with each request to access the Conjur database
4. Each request must comply with Conjur RBAC rules as recorded in policy.

Diagram (Application ↔ Conjur):
1 Request: authn
2 Response: token
3 Request: token + request
4 Response: allow / deny


Access Token
• Almost all Conjur requests must include a valid access token
• Exceptions include init, authn login, and pubkeys show
• Short-lived access token after successful authentication
• Token is valid for 8 minutes (default)

CONDITIONS:
1. Token must not be expired
2. Token signature must be verified by Conjur
** Reject immediately if conditions not satisfied

Token Format
• Token format is JSON Web Token (JWT)
• Cryptographically signed by Conjur private key (RSA 2048)
• Includes host_ID or user_ID and expiration timestamp
• Conjur uses OpenSSL to generate RSA key pair, validate, and sign tokens

How to obtain an access token?
• Authenticate using Conjur CLI with valid user or host identifier
• Authenticate using Conjur REST API with valid user or host API key
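Worked example (added here; not CyberArk's code): a Python simulation of the four-step workflow and of the two token conditions on the Access Token slide, covering both sides of the exchange. The ConjurServer class, FakeClock, the signing key, the login, the resource id and the walkthrough data are constructed. Conjur signs tokens with an RSA-2048 private key; this model signs with an HMAC-SHA256 key instead so it runs on the standard library alone, which is a deliberate simplification. The header shape Authorization: Token token="<base64 of the token JSON>" and the token's protected/payload/signature layout follow the Conjur REST API; the 8-minute lifetime and the 51-56 character API key length are the values stated on these slides.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 8 * 60  # default access-token lifetime stated on the slide


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting eight minutes."""
    def __init__(self, now: int):
        self.now = now
    def __call__(self) -> int:
        return self.now


class ConjurServer:
    """Constructed stand-in for the Conjur side: issues and validates tokens, then applies RBAC."""

    def __init__(self, signing_key: bytes, clock=time.time):
        self._key = signing_key          # HMAC key standing in for Conjur's RSA private key
        self._clock = clock
        self._api_keys = {}              # login -> current API key
        self.permits = set()             # (login, privilege, resource) rows, i.e. the policy

    def rotate_api_key(self, login: str) -> str:
        """Assign a fresh random API key (52 hex characters, inside the 51-56 range on slide 23)."""
        key = secrets.token_hex(26)
        self._api_keys[login] = key
        return key

    def authenticate(self, login: str, api_key: str):
        """Steps 1-2: verify the presented API key; on success return a signed, short-lived token."""
        expected = self._api_keys.get(login)
        if expected is None or not hmac.compare_digest(expected, api_key):
            return None
        now = int(self._clock())
        protected = _b64url(json.dumps({"alg": "HS256", "kid": "conjur-signing-key"}).encode())
        payload = _b64url(json.dumps({"sub": login, "iat": now, "exp": now + TOKEN_TTL_SECONDS}).encode())
        signature = hmac.new(self._key, f"{protected}.{payload}".encode(), hashlib.sha256).digest()
        return {"protected": protected, "payload": payload, "signature": _b64url(signature)}

    def verify_token(self, token: dict):
        """Both conditions from the slide: signature must verify and token must not be expired; else reject."""
        signing_input = f"{token.get('protected', '')}.{token.get('payload', '')}".encode()
        expected = _b64url(hmac.new(self._key, signing_input, hashlib.sha256).digest())
        if not hmac.compare_digest(expected, token.get("signature", "")):
            return None                                   # tampered or foreign token
        claims = json.loads(_b64url_decode(token["payload"]))
        if claims["exp"] <= self._clock():
            return None                                   # expired
        return claims["sub"]

    def handle(self, authorization_header: str, privilege: str, resource: str) -> str:
        """Steps 3-4: unpack the Authorization header, validate the token, then check RBAC."""
        prefix, suffix = 'Token token="', '"'
        if not (authorization_header.startswith(prefix) and authorization_header.endswith(suffix)):
            return "deny"
        try:
            token = json.loads(base64.b64decode(authorization_header[len(prefix):-1]))
        except (ValueError, TypeError):
            return "deny"
        login = self.verify_token(token)
        if login is None:
            return "deny"
        return "allow" if (login, privilege, resource) in self.permits else "deny"


def authorization_header(token: dict) -> str:
    """Client side of step 3: the token JSON, base64-encoded, inside the Authorization header."""
    return 'Token token="' + base64.b64encode(json.dumps(token).encode()).decode() + '"'


def walkthrough() -> dict:
    """Run the flow against constructed data and return the outcome of each check."""
    clock = FakeClock(1_700_000_000)
    server = ConjurServer(b"constructed-signing-key", clock)
    login, resource = "host/production/redis001", "variable:production/redis/password"
    api_key = server.rotate_api_key(login)
    server.permits.add((login, "execute", resource))      # policy lets this host fetch the secret

    token = server.authenticate(login, api_key)
    header = authorization_header(token)
    tampered = dict(token, payload=token["payload"] + "x")  # any change to the payload breaks the signature
    results = {
        "bad_api_key": server.authenticate(login, "not-the-key"),
        "fetch_allowed": server.handle(header, "execute", resource),
        "update_denied": server.handle(header, "update", resource),
        "tampered_denied": server.handle(authorization_header(tampered), "execute", resource),
    }
    clock.now += TOKEN_TTL_SECONDS + 1                    # jump past the token lifetime
    results["expired_denied"] = server.handle(header, "execute", resource)
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Two details matter for anyone building a client: the API key is used exactly once, to obtain the token, and every later request carries only the token; and the server checks the signature before it even decodes the claims, so a forged or altered token is rejected before any policy lookup happens. The expired case shows why a long-running client must re-authenticate rather than cache a token indefinitely.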
IDENTITY ATTRIBUTE                              AUTHENTICATOR
API Key, Host Factory Token, Access Token       authn (default)
IAM Roles                                       authn-iam
Azure Resources                                 authn-azure
Google Cloud Resources                          authn-gcp
Namespace, Deployment, Stateful Set, Others     authn-k8s
JSON Web Token                                  authn-jwt
OpenID Connect (OIDC) Identity Layer            authn-oidc
LDAP User Credentials                           authn-ldap

Diagram: Application → (authenticator) → Conjur


• Conjur supports use of different authenticators
• Multiple instances of the same authenticator are supported
• ONLY authn is enabled by default
• Authenticators are provisioned through policy and Conjur configuration settings

Example Based On IAM Authenticator:
1. Define a <authenticator-type>.yml policy file and load it in
2. Define an application identity (host) in Conjur for the AWS resource
3. Enable the IAM Authenticator

More information on Conjur Authenticators: Supported Conjur Authenticators
Conjur Default Authenticator (authn)


Conjur Default Authenticator Overview (authn)
• An API Key is an alphanumeric string with length of 51 to 56 characters
• API Key can be rotated later using the CLI or API.
• Requester presents an API Key to be granted temporary access to Conjur
• Conjur verifies the credentials, then returns a short-lived access token
• Each subsequent request to access Conjur will include the temporary access token


authn: Application Credentials

Files
• Information includes unique identifier, secret key, and configuration information
• NOTE: “/etc/conjur.identity” contains the machine’s API key and should be kept secret. Good practice is to symlink this file from /dev/shm.
• Remaining files do not contain sensitive information and can be freely shared

File                  Type         Contains                    Security Concerns
/etc/conjur.identity  netrc        Identifier and secret key   Only accessible by root
/etc/conjur.conf      yaml         Conjur configuration        Only writable by root
/etc/conjur.pem       certificate  Info from conjur server     Only writable by root

Variables
• Apply machine identity via environment variables

USE CASE: Applications or tools that accept configuration through the environment (Docker containers, Jenkins jobs, Heroku apps, etc.)

Variable                Description                                Example
CONJUR_ACCOUNT          account specified during Conjur setup      myorg
CONJUR_APPLIANCE_URL    Conjur HTTPS endpoint                      https://conjur.myorg.com/api
CONJUR_AUTHN_API_KEY    host API key                               sb0ncv1yj9c4w2e9pb1a2s…
CONJUR_AUTHN_LOGIN      host identity                              host/production/redis001
CONJUR_AUTHN_TOKEN      Conjur JSON access token, base64 encoded   eyJkYXRhljNTdjOWJkNWQ1ZDgyDgyYTU0In0…
CONJUR_POLICY_ID        policy namespace (for variables)           Redis-v1
CONJUR_SSL_CERTIFICATE  public Conjur SSL cert                     -----BEGIN CERTIFICATE -----

CONJUR_AUTHN_TOKEN requires CLI version 5.2.0 or greater.
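Worked example (added here; not CyberArk's client code): a Python routine that resolves a machine identity for the default authenticator from the two sources on this slide, the CONJUR_* environment variables and a netrc-style /etc/conjur.identity file. The file contents, the variable values, and the names parse_netrc, ConjurIdentity and resolve_identity are constructed; the file text is passed in as a string so the example runs without touching the root-only file. Two conventions are assumptions rather than statements from the slide: an explicit CONJUR_AUTHN_TOKEN takes precedence over an API key, and the netrc "machine" entry is keyed by the appliance URL with /authn appended.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the root-only /etc/conjur.identity (netrc format).
SAMPLE_IDENTITY_FILE = """\
machine https://conjur.myorg.com/api/authn
  login host/production/redis001
  password sb0ncv1yj9c4w2e9pb1a2s
"""


def parse_netrc(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal netrc reader: machine / login / password triples keyed by machine."""
    entries, current, tokens, i = {}, None, text.split(), 0
    while i < len(tokens):
        word = tokens[i]
        if i + 1 >= len(tokens) or word not in ("machine", "login", "password"):
            raise ValueError(f"malformed identity file near {word!r}")
        if word == "machine":
            current = tokens[i + 1]
            entries[current] = {}
        elif current is None:
            raise ValueError(f"{word!r} before any 'machine' entry")
        else:
            entries[current][word] = tokens[i + 1]
        i += 2
    return entries


@dataclass
class ConjurIdentity:
    appliance_url: str
    account: str
    login: Optional[str] = None
    api_key: Optional[str] = None
    access_token: Optional[str] = None
    ssl_certificate: Optional[str] = None

    def credential(self) -> str:
        """Which secret the client presents: a ready access token, or the API key to obtain one."""
        return "access_token" if self.access_token else "api_key"

    def redacted(self) -> dict:
        """Safe-to-log view: endpoint, account and login only, never the API key or token."""
        return {"appliance_url": self.appliance_url, "account": self.account,
                "login": self.login, "credential": self.credential()}


def resolve_identity(env: Dict[str, str], identity_file: Optional[str] = None) -> ConjurIdentity:
    """Build the identity from environment variables, falling back to the netrc file for login/API key."""
    url, account = env.get("CONJUR_APPLIANCE_URL"), env.get("CONJUR_ACCOUNT")
    if not url or not account:
        raise ValueError("CONJUR_APPLIANCE_URL and CONJUR_ACCOUNT must be set")
    ident = ConjurIdentity(url, account, env.get("CONJUR_AUTHN_LOGIN"), env.get("CONJUR_AUTHN_API_KEY"),
                           env.get("CONJUR_AUTHN_TOKEN"), env.get("CONJUR_SSL_CERTIFICATE"))
    if ident.access_token:
        return ident                      # assumption: a supplied token wins, no API key needed
    if (ident.login is None or ident.api_key is None) and identity_file:
        entry = parse_netrc(identity_file).get(url.rstrip("/") + "/authn", {})   # assumed key convention
        ident.login = ident.login or entry.get("login")
        ident.api_key = ident.api_key or entry.get("password")
    if ident.login is None or ident.api_key is None:
        raise ValueError("no credential: set CONJUR_AUTHN_TOKEN, or CONJUR_AUTHN_LOGIN and "
                         "CONJUR_AUTHN_API_KEY, or provide /etc/conjur.identity")
    return ident


if __name__ == "__main__":
    env = {"CONJUR_APPLIANCE_URL": "https://conjur.myorg.com/api", "CONJUR_ACCOUNT": "myorg"}
    print(resolve_identity(env, SAMPLE_IDENTITY_FILE).redacted())
```

The redacted view is the only form that should reach a log line: the slide's point that /etc/conjur.identity carries the API key and must stay root-only applies equally to anything the process prints. A container that sets CONJUR_AUTHN_TOKEN never needs the API key in its environment at all, which keeps the long-lived secret off the image.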


Summary


In this session we discussed:

• Conjur Identity
• Conjur Interfaces
• Conjur Authentication
• Conjur Default Authenticator Overview


Thank You
